Controlling Security
Module Overview
This module introduces advanced concepts of controlling security in the Oracle 9i
database. Additional security features, including enhanced password security and the
assignment of profiles to users, are presented, along with the concepts of auditing.
This module, Controlling Security II, should be taken directly after the
Oracle 9i Database Administration I class.
Completion Time
Estimated time to complete this module is one hour for presentation and one hour for the
lab exercises.
Location of Presentations, Labs, & Examples
All presentations, labs, and examples are located on the Oracle Database Administration
Certified Professional Training CD in the directories and file names as follows.
DBAOCP\LABS\ControlSecurityII.txt          Labs
DBAOCP\PPTS\ControlSecurityII.ppt          PowerPoint Presentations
DBAOCP\EXAMPLES\ControlSecurityII.txt      Presentation Examples
DBA_OCP\DOCS\ControlSecurityII.doc         This documentation
DBA_OCP\Install\DBAOCPInstall.txt          Script to create the schema for this course
Scripts to create the schema required for the labs in this module and prior modules are
found on the Database Administration Certified Professional training CD in the directory
DBAOCP\Install\DBAOCPInstall.txt. These scripts should have been executed during
the lab after completing the SQL Query Fundamentals module.
Objectives
Administration of Passwords for Users
Password Expiration
Account Locking and UnLocking
Creating Operating System Authenticated Users
Assigning Users to Tablespaces and Quotas
Creating Profiles and Assigning to Users
Auditing
Administration of Passwords
[Slide diagram: a user asks the database administrator to create an Oracle user; the
database administrator creates a user named Marketing in the Oracle database.]
Administration of Passwords
Creating a New User
CREATE USER Marketing IDENTIFIED BY ITSOK;
• At this point, a new user is created and a new schema is created at the
same time for that new user.
Example of creating a new user
Administration of Passwords
Password Expiration and Locking
CREATE USER Marketing IDENTIFIED BY ITSOK
  PASSWORD EXPIRE
  ACCOUNT UNLOCK;
• Specify the Password Expire clause whenever creating a new user to force the
new user to change their password when connecting for the first time.
• The Password Expire clause adds an extra level of protection: not even the database
administrator knows the password a user chooses.
• If the Password Expire option is not used when creating the new user, that
user will not be prompted for a new password.
• Specify the Account Lock option to lock the user's account and not let the user
connect to the database.
• Use the Account UnLock option to allow the user to connect to the database
using their UserId and Password. The default is unlocked whenever creating a
new user.
Example of using the Password Expire option and Account Unlock option
Administration of Passwords
Operating System Authentication
[Slide diagram: Oracle database authentication methods: Oracle (database password),
Operating System, and Remote Service.]
[Slide diagram: the database with its System, Users, and Temp tablespaces, data files,
redo logs, and control files.]
Note: A user's default quota is UNLIMITED on any tablespace they have been
assigned to without being assigned an explicit quota.
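The user-creation clauses covered so far, carried through in one script as an added example (not code from the course CD). The user names MARKETING and OPS$MKTREP, the tablespaces USERS and TEMP, and the quota values are assumed; OPS$ is the default OS_AUTHENT_PREFIX.

```sql
-- Added example (not from the course CD): the three kinds of user this
-- section describes.  MARKETING, OPS$MKTREP, USERS, TEMP and the quota
-- sizes are assumed values.

-- 1. Database-authenticated user whose initial password the DBA never keeps:
--    PASSWORD EXPIRE forces a change at first logon; ACCOUNT UNLOCK is the default.
CREATE USER marketing IDENTIFIED BY itsok
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 5M ON users
  PASSWORD EXPIRE
  ACCOUNT UNLOCK;

-- Without CREATE SESSION the account exists but cannot log on at all.
GRANT CREATE SESSION TO marketing;

-- 2. Operating-system-authenticated user: no database password is stored.
--    The name is the OS account prefixed with OS_AUTHENT_PREFIX (default
--    OPS$), so the OS account MKTREP maps to the database user OPS$MKTREP.
CREATE USER ops$mktrep IDENTIFIED EXTERNALLY
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 1M ON users;
GRANT CREATE SESSION TO ops$mktrep;

-- 3. Locking an account that must not connect (for example a departed
--    employee) instead of dropping it, so its audit history is kept.
ALTER USER marketing ACCOUNT LOCK;
-- ...and releasing it again when appropriate.
ALTER USER marketing ACCOUNT UNLOCK;

-- Checks: account status and password expiry come from DBA_USERS,
-- per-tablespace quotas from DBA_TS_QUOTAS (MAX_BYTES = -1 means unlimited).
SELECT username, account_status, expiry_date, default_tablespace
  FROM dba_users
 WHERE username IN ('MARKETING', 'OPS$MKTREP');

SELECT username, tablespace_name, max_bytes
  FROM dba_ts_quotas
 WHERE username IN ('MARKETING', 'OPS$MKTREP');
```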
Creating Profiles
[Slide diagram: users require certain resource privileges; the database administrator
creates a profile and assigns it to users.]
• Profiles are assigned resource limits that control the use of system
resources by the user.
• Not only can individual resource limits of system resources be assigned to
users, composite resource limits can be assigned. Composite resources
are a combination of resource limits that reflect a total resource threshold.
Creating Profiles
Session Level Resource Limits        Call Level Resource Limits
Sessions_Per_User                    Logical_Reads_Per_Call
CPU_Per_Session                      CPU_Per_Call
Logical_Reads_Per_Session
Idle_Time
Connect_Time
Private_SGA
Creating Profiles
CREATE PROFILE Support_Only LIMIT
  Sessions_Per_User 3
  Idle_Time 60
  Connect_Time 600;
• The first step in assigning users to profiles is to create the profile with its
associated resource limits. The second step is to assign the user to the
profile, which is illustrated on the next slide.
Example of creating the profile Support_Only
Creating Profiles
Assigning to Users
ALTER USER Support PROFILE Support_Only;
• After the profile has been created, users can be assigned the profile.
• Multiple users can be assigned a profile.
• A given user can only have one profile at a given point in time.
• If a profile is taken from the user, then that user's profile reverts to the
DEFAULT profile if not assigned another profile.
• Only database administrators can create profiles, assign users to profiles,
or take profiles from user accounts.
Example of assigning a profile to a user
Note: Profiles can be assigned to users whenever the Oracle user account is
created. Please refer to the Oracle 9i Database Administration documentation
for details.
Copyright 2002 © Douglas Wentz, Inc.
Controlling Security II Module (P) Page 15 of 49
Creating Profiles
Altering Profiles
ALTER PROFILE Support_Only LIMIT
  Sessions_Per_User 30;
Creating Profiles
Dropping Profiles
DROP PROFILE Support_Only CASCADE;
Note: Remember the DEFAULT profile has all resource limits set to unlimited.
This could be dangerous in some Oracle environments.
Creating Profiles
Enabling Profiles
ALTER SYSTEM SET Resource_Limit = TRUE;
• Profiles must be activated database wide before they will be enforced for
all users assigned to profiles.
Creating Profiles
Account Management
Failed_Login_Attempts
Password_Life_Time
Password_Reuse_Time
Password_Reuse_Max
Password_Lock_Time
Password_Grace_Time
Password_Verify_Function
• Account management security can be increased with PROFILES.
Creating Profiles
Account Management
ALTER PROFILE Support_Only LIMIT
  Failed_Login_Attempts 10
  Password_Life_Time 365;
Note: For additional information about users and profiles, examine the following
Data Dictionary views. A set of Data Dictionary views beginning with USER_ is also
available in most cases.
DBA_Password_Limits
DBA_PROFILES
RESOURCE_COST
USER_RESOURCE_LIMITS
DBA_USERS
• The Data Dictionary View DBA_Users shows which users are assigned to
which profiles. Remember that the Data Dictionary View User_Users shows
what profile the currently connected user is assigned to.
Example of performing a query on the Data Dictionary View DBA_Users
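The profile steps of this section (create the profile, assign it, enable enforcement, check the data dictionary) carried through in one script, as an added example that is not code from the course CD. It goes beyond the slides by combining the resource limits and the account-management limits in a single profile; the profile Support_Only and the user Support are the slides' names, the limit values are assumed.

```sql
-- Added example (not from the course CD): one profile combining the
-- resource limits and account-management limits listed in this section.
-- SUPPORT_ONLY and SUPPORT come from the slides; the values are assumed.

CREATE PROFILE support_only LIMIT
  -- session-level and call-level resource limits
  SESSIONS_PER_USER        3
  CPU_PER_SESSION          UNLIMITED
  CPU_PER_CALL             3000       -- hundredths of a second
  LOGICAL_READS_PER_CALL   10000      -- database blocks
  IDLE_TIME                60         -- minutes
  CONNECT_TIME             600        -- minutes
  -- account-management (password) limits
  FAILED_LOGIN_ATTEMPTS    10
  PASSWORD_LOCK_TIME       1/24       -- days: locked for one hour after 10 failures
  PASSWORD_LIFE_TIME       365        -- days
  PASSWORD_GRACE_TIME      7          -- days of warnings before the password expires
  PASSWORD_REUSE_TIME      90         -- days before an old password may be reused
  PASSWORD_REUSE_MAX       UNLIMITED  -- in 9i, UNLIMITED whenever REUSE_TIME is set
  PASSWORD_VERIFY_FUNCTION NULL;      -- no complexity-checking function assigned

ALTER USER support PROFILE support_only;

-- Password limits are always enforced; the resource limits are enforced only
-- once RESOURCE_LIMIT is TRUE (also set it in the init file so it survives a restart).
ALTER SYSTEM SET resource_limit = TRUE;

-- Check: which profile is each user on?
SELECT username, profile, account_status
  FROM dba_users
 ORDER BY profile, username;

-- Check: what does each profile actually limit?  Compare against DEFAULT,
-- where every resource limit is UNLIMITED unless it has been altered.
SELECT profile, resource_type, resource_name, "LIMIT"
  FROM dba_profiles
 WHERE profile IN ('DEFAULT', 'SUPPORT_ONLY')
 ORDER BY profile, resource_type, resource_name;
```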
Auditing
Database vs. Value Based
[Slide diagram: Oracle database auditing is divided into database auditing, which
includes the database alert log, and value-based auditing.]
Classification of Operations
[Slide diagram: Oracle database auditing example, by classification of operation]
Statement      DDL / DML
Privilege      Insert, Update, Deletes
Object         Accessing tables
Auditing By Focus
Oracle database auditing can be focused:
By Statement
By User
By Session
By Access
Whenever Successful
Whenever Not Successful
Auditing
Enabling / Disabling
Step 1: Run the CatAudit script.
@C:\oracle\ora90\rdbms\admin\cataudit
Step 2: Add Audit_Trail to the Init file.
Note: Whenever setting auditing in the Initialization Parameter File, the Oracle
database must be shut down and restarted. The parameter is not dynamic.
AUDIT ALTER ANY TABLE BY Sales BY ACCESS WHENEVER SUCCESSFUL;
Example of auditing
• The above example audits successful attempts by the user Sales to alter
any table.
Example
AUDIT CONNECT BY Sales WHENEVER NOT SUCCESSFUL;
Example of auditing
Example of Disabling Auditing
CREATE TABLE Audit_Temp AS
  SELECT * FROM Sys.Aud$
  WHERE TimeStamp# < SysDate - 30;

DELETE FROM Sys.Aud$
  WHERE TimeStamp# < SysDate - 30;
• Auditing records are placed in the Aud$ table in the SYS schema. This
table can become quite large depending on the auditing activity initiated.
Additionally, the Aud$ table will probably be located in the System Tablespace,
which may cause additional storage issues.
• The database administrator must periodically archive / delete records in
the Aud$ table.
• The following steps offer one method of managing the Aud$ table.
o Connect to the Oracle database as SYS. This should be one of the few
circumstances in which the database administrator connects to the SYS
account.
o Create another table with the records from the Aud$ table. The new table should
go into a different tablespace if possible.
• Another method of managing the Aud$ table would be to Export the table and
then delete the rows in the Aud$ table. The Export / Import utility will be
presented in the Oracle 9i Database Administration II class.
• Records can be deleted from the audit trail by the user SYS or any user
with the DELETE ANY TABLE privilege.
Note: If user connections are being audited and the Aud$ table causes the System Tablespace to
fill, additional users connecting to the database may not be able to connect. The
database administrator will probably have to add additional space to the tablespace and
clear the Aud$ table.
[Slide diagram: the DBA_OBJ_AUDIT_OPTS view]
• The following Data Dictionary Views can be used to view auditing results.
o DBA_Audit_Exists – Audit entries by the exists option.
o DBA_Audit_Object – Audit entries for object audits such as tables
and indexes.
o DBA_Audit_Session – Audit entries by session connects and
disconnects.
o DBA_Audit_Statement – Audit entries generated by statement
options.
o DBA_Audit_Trail – All entries in the Aud$ table.
[Slide diagram: the DBA_AUDIT_OBJECT view]
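The auditing material of this section (the two AUDIT statements from the slides, the audit-trail views, and the Aud$ housekeeping) carried through as one script, as an added example that is not code from the course CD. It goes beyond the slides by adding a failed-logon report over DBA_AUDIT_SESSION; the user Sales is the slides' name, while the archive table name, tablespace and 30-day retention are assumed. It assumes Audit_Trail = DB is set in the init file and cataudit.sql has been run as SYS.

```sql
-- Added example (not from the course CD): audit the user SALES as the slides
-- do, then read and maintain the audit trail.  AUDIT_ARCHIVE, the USERS
-- tablespace and the 30-day retention are assumed values.

-- What the slides enable: successful ALTER ANY TABLE use, and failed logons by SALES.
AUDIT ALTER ANY TABLE BY sales BY ACCESS WHENEVER SUCCESSFUL;
AUDIT CONNECT BY sales WHENEVER NOT SUCCESSFUL;
-- Failed logons for every user are the usual sign of password guessing.
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- Check which statement audit options are actually in force.
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts;

-- Detection: failed logons per user and host in the last day.
-- RETURNCODE 1017 is ORA-01017 (invalid username/password).
SELECT username, userhost, COUNT(*) AS failures,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen
  FROM dba_audit_session
 WHERE returncode = 1017
   AND timestamp > SYSDATE - 1
 GROUP BY username, userhost
HAVING COUNT(*) >= 5
 ORDER BY failures DESC;

-- Housekeeping (run as SYS): copy entries older than 30 days into a table
-- outside the SYSTEM tablespace, then remove them so SYSTEM cannot fill up.
-- The base table AUD$ holds the date in TIMESTAMP#; the views expose it as TIMESTAMP.
CREATE TABLE audit_archive TABLESPACE users AS
  SELECT * FROM sys.aud$ WHERE timestamp# < SYSDATE - 30;
DELETE FROM sys.aud$ WHERE timestamp# < SYSDATE - 30;
COMMIT;

-- Disable the options again once they are no longer needed.
NOAUDIT ALTER ANY TABLE BY sales;
NOAUDIT CONNECT BY sales;
NOAUDIT SESSION;
```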
Auditing Guidelines
2. If a user is not assigned a profile right after the user account was created
what will the value of the resource limit Sessions_Per_User be?
a. Unlimited
b. 99999999
c. The user will not be able to connect since the user account has not been
assigned a profile.
d. 1
5. To limit the total resource costs of a user session, what resource limit
should be assigned to the profile that the user has been assigned to?
a. Composite_Limit
b. CPU_Per_Session
c. CPU_Per_Call
d. Logical_Reads_Per_Session
e. Logical_Reads_Per_Call
6. As a database administrator you want to find out what profile each user is
assigned to. What Data Dictionary view would you perform a query on?
a. User_Users
b. DBA_Profiles
c. DBA_Users
d. User_Profiles
7. To see only what roles are assigned to other roles what data dictionary
view would be utilized?
a. USER_ROLE_PRIVS
b. ROLE_SYS_PRIVS
c. ROLE_TAB_PRIVS
d. ROLE_ROLE_PRIVS
e. Cannot be accomplished using the data dictionary.
8. As a database administrator you are receiving calls that users are hanging
whenever attempting to connect to the database. Auditing for successful
and unsuccessful connections for all users is currently active. Which of the
following is a likely reason for the users' problem whenever attempting to
connect to the database?
a. The user has issued the incorrect userid and password.
b. The user's account has been locked.
c. The Temp tablespace has become full.
d. The Aud$ table has caused the System tablespace to become full.
9. To enable auditing to the Aud$ table the Audit_Trail Initialization
Parameter must be set to?
a. DB
b. FALSE
c. OS
d. NONE
Lab Exercises
1. Create a new user and force that new user to change their password
whenever connecting for the first time. Be sure to grant the new user
appropriate privileges so they can connect to the database.
2. Set the user created in Lab Exercise # 1 to the following tablespaces and
quotas:
Default Tablespace Users Quota 5m
Temporary Tablespace Temp Quota 2m
3. Create a profile named Sales_Reps and assign the profile to the user created
in Lab Exercise #1. The profile should have the following resource limits:
Sessions_Per_User 1
Connect_Time 60
Password_Reuse_Time 90
Remember that resource limits must be enabled for them to work.
Attempt to connect to the user account created in Lab Exercise # 1 more than
one time. What happened and why?
4. Enable auditing and audit the user created in Lab Exercise #1 for the
following:
Every time the user successfully connects to the database.
The first time in each session that the user attempts to create a new table.
Verify that audit records were written to the Aud$ table.
Be sure to disable auditing; however, do not remove the Aud$ table.
5. Drop the Profile Sales_Reps created in Lab Exercise # 3 above.
6. Drop the user created in Lab Exercise # 1 above.
7. Remove the Aud$ table and disable auditing.
Lab exercise 1
Lab exercise 2
Lab exercise 3
You should only be able to connect one time since the Sessions_Per_User was
set to one.
Lab exercise 4
You must shut down the Oracle database and place Audit_Trail = OS in the
Initialization Parameter File.
The script CatAudit.sql must be executed as SYS. This is not illustrated.
Attempt to connect as the user created in Lab Exercise # 1 above several times.
Lab Exercise 5
Lab Exercise 6
Lab Exercise 7
Run the script CatNoAudit.sql to remove the Aud$ table.
Remove the Audit_Trail entry in the Initialization Parameter File or set it to
NONE. Shut down and restart the database.